@shnitzel/plugscout 0.3.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Amit Rintzler
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,228 @@
+<h1 align="center">PlugScout</h1>
+
+<p align="center">
+  <a href="https://github.com/amitrintzler/skills-and-mcps/releases/latest"><img alt="Release" src="https://img.shields.io/github/v/release/amitrintzler/skills-and-mcps?display_name=tag&label=release" /></a>
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/ci.yml/badge.svg?branch=main" /></a>
+  <a href="https://nodejs.org/"><img alt="Node >=18.17" src="https://img.shields.io/badge/node-%3E%3D18.17-339933?logo=node.js&logoColor=white" /></a>
+  <a href="https://www.linkedin.com/in/amit-rintzler-94444535/"><img alt="LinkedIn Amit Rintzler" src="https://img.shields.io/badge/LinkedIn-Amit%20Rintzler-0A66C2?logo=linkedin&logoColor=white" /></a>
+</p>
+
+<p align="center">
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/daily-security.yml"><img alt="Daily Security" src="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/daily-security.yml/badge.svg?branch=main" /></a>
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/security-codeql.yml"><img alt="Security / CodeQL" src="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/security-codeql.yml/badge.svg?branch=main" /></a>
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/security-dependency-review.yml"><img alt="Dependency Review (PR)" src="https://img.shields.io/badge/dependency%20review-PR%20only-2563eb" /></a>
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/security-secrets.yml"><img alt="Secrets Scan" src="https://img.shields.io/badge/secrets-gitleaks-ef4444" /></a>
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/security-sbom-trivy.yml"><img alt="SBOM + Trivy" src="https://img.shields.io/badge/SBOM%20%2B%20Trivy-enabled-0ea5e9" /></a>
+  <a href="https://github.com/amitrintzler/skills-and-mcps/actions/workflows/catalog-sync.yml"><img alt="Catalog Sync (Scheduled)" src="https://img.shields.io/badge/catalog%20sync-scheduled-0ea5e9" /></a>
+</p>
+
+PlugScout helps teams discover, score, and safely install Claude plugins, Claude connectors, Copilot extensions, Skills, and MCP servers with policy-aware risk controls.
+
+Written by Amit Rintzler.
+
+License: MIT. Copyright (c) 2026 Amit Rintzler. Reuse is allowed, but redistributed copies must keep the copyright and license notice.
+
+Quick links:
+- [Install](#install-plugscout-v020)
+- [Quick Start](#quick-start-2-minute-path)
+- [Core Commands](#core-commands)
+- [Safety Model](#safety-model)
+- [Docs](#where-to-go-next)
+
+## What is PlugScout?
+
+PlugScout is a Node.js CLI that unifies multiple AI tooling ecosystems into one searchable catalog and applies trust/risk policy before installation.
+
+You can:
+- Discover Claude plugins, Claude connectors, Copilot extensions, Skills, and MCP servers from one place.
+- Score candidates using trust-first ranking.
+- Enforce install gates using whitelist + quarantine policy.
+- Run continuous checks in CI and scheduled workflows.
+
+## Who this is for
+
+- Teams managing AI tooling catalogs across providers.
+- Developers who want safe recommendations for a specific repository.
+- Maintainers responsible for whitelist/quarantine governance.
+
+## Prerequisites
+
+- Node.js `>=18.17`
+- npm
+- `skills` CLI or `npx` for modern skill installs
+- `skill.sh` is optional and only needed for some legacy `skill.sh`-style installs
+
+## Install PlugScout (v0.3.1)
+
+**Global install (recommended):**
+
+```bash
+npm install -g plugscout
+plugscout setup
+```
+
+`plugscout setup` is a single command that installs prerequisites, writes default config, and syncs all catalogs. No extra steps needed.
+
+**From source:**
+
+```bash
+git clone https://github.com/amitrintzler/skills-and-mcps.git plugscout
+cd plugscout
+git checkout v0.3.1
+npm install
+npm run setup
+```
+
+Install newest release tag instead of pinning `v0.3.1`:
+
+```bash
+git checkout $(git describe --tags --abbrev=0)
+```
+
+## Quick Start (2-minute path)
+
+```bash
+npm install -g plugscout
+plugscout setup
+plugscout scan --project . --format table
+plugscout recommend --project . --only-safe --sort trust --limit 10
+```
+
+Or from source:
+
+```bash
+npm install && npm run setup
+npm run scan -- --project . --format table
+npm run recommend -- --project . --only-safe --sort trust --limit 10 --details
+```
+
+Run `plugscout` with no args to open the home screen.
+
+Important: `top` and `recommend` are repo-aware rankings, not global popularity charts. A higher score means a better match for the current repository under the active policy, using `fit + trust + freshness - security - blocked`. Review each suggestion before installing, and do not install blindly from rank alone.
+
+Installs are now review-gated: run `show --id <catalog-id>` or `assess --id <catalog-id>` before `install`. Use `--override-review` only when you intentionally want to bypass that safeguard.
+
+For supported legacy MCP entries, PlugScout now prefers direct installers when the target is unambiguous:
+- npm package targets install through `npm install -g`
+- container targets install through `docker pull`
+- ambiguous or binary-asset installs remain explicit/manual
+
+PlugScout also performs a daily interactive update check against GitHub Releases and prints a download hint when a newer release is available.
+
+Video preview/render commands are optional maintainer tooling. They are kept in `devDependencies` and are not required to install or run the CLI package.
+
+## Typical Workflow
+
+Use this lifecycle for day-to-day operation:
+
+```bash
+npm run sync
+npm run scan -- --project . --format table
+npm run top -- --project . --limit 5
+npm run recommend -- --project . --only-safe --sort trust --limit 10 --explain-scan
+npm run assess -- --id mcp:filesystem
+npm run install:item -- --id mcp:filesystem --yes
+```
+
+Expected output shape (trimmed):
+
+```text
+ID                                TYPE                PROVIDER    RISK      BLOCKED
+copilot-extension:actions-...     copilot-extension   github      low(0)    false
+claude-plugin:repo-threat-...     claude-plugin       anthropic   low(0)    false
+skill:ci-hardening                skill               openai      low(0)    false
+```
+
+## Core Commands
+
+| Command | Purpose |
+| --- | --- |
+| `npm run setup` | **One-step setup**: install prerequisites + init config + sync catalogs |
+| `npm run about` | Show version and framework scope |
+| `npm run init` | Create project defaults and setup local config (interactive) |
+| `npm run doctor -- --install-deps` | Validate runtime prerequisites and bootstrap the `skills` CLI when missing |
+| `npm run sync` | Refresh catalog data from configured registries |
+| `npm run scan -- --project . --format table` | Analyze repository capabilities/archetype |
+| `npm run top -- --project . --limit 5` | Show top-ranked items for the current context |
+| `npm run top -- --project . --limit 5 --details` | Explain rank math, trust/risk interpretation, and install hint per item |
+| `npm run recommend -- --project . --only-safe --sort trust --limit 10` | Generate policy-aware recommendations |
+| `npm run recommend -- --project . --only-safe --sort trust --limit 10 --details` | Include per-item acceptance evidence (provenance, reasons, tradeoffs) |
+| `npm run assess -- --id <catalog-id>` | Evaluate risk for one candidate before install |
+| `npm run install:item -- --id <catalog-id> --yes --install-deps` | Install a candidate if policy allows and bootstrap supported install deps when requested |
+| `npm run status -- --verbose` | Report catalog health, staleness, and policy status |
+| `node dist/cli.js web --open` | Generate readable HTML report with score legend and decision cards |
+
+Packaged CLI-only commands:
+
+- `plugscout setup` (**first-time setup**: prerequisites + config + sync in one step)
+- `plugscout` (home screen)
+- `plugscout upgrade check`
+- `plugscout web --open` (readable browser report)
+- `plugscout <command> --no-update-check` (skip daily auto-check for the current run)
+
+Full command reference: [`docs/cli-reference.md`](docs/cli-reference.md)
+
+## Safety Model
+
+PlugScout blocks high-risk and critical installs by default.
+
+| Tier | Score | Default install policy |
+| --- | --- | --- |
+| low | 0-24 | allow |
+| medium | 25-49 | allow with warning |
+| high | 50-74 | block |
+| critical | 75-100 | block |
+
+Risk score meaning:
+- `0` is lowest observed risk signal.
+- `100` is highest risk signal.
+- Higher score means higher risk and stronger install gating.
+
+Whitelist and quarantine state are enforced in recommendation and install flows, and can be continuously maintained with daily verification/quarantine automation.
+
+Security deep-dive: [`docs/security/README.md`](docs/security/README.md)
+
+## Plugin and Connector Catalog Sources
+
+- Claude plugins: `https://claude.com/plugins` (scraped with sanitization + host allowlist guards)
+- Claude connectors: `https://claude.com/connectors` (scraped with sanitization + host allowlist guards)
+- Anthropic GitHub plugin manifests: `anthropics/claude-plugins-official`, `anthropics/knowledge-work-plugins`, `anthropics/financial-services-plugins`
+- GitHub skills marketplaces: `numman-ali/n-skills`, `mhattingpete/claude-skills-marketplace`, `neondatabase-labs/ai-rules`
+- GitHub Claude Code plugin marketplaces: `docker/claude-plugins`, `pleaseai/claude-code-plugins`
+- Copilot plugins (official): `https://raw.githubusercontent.com/github/copilot-plugins/main/.github/plugin/marketplace.json`
+- Copilot plugins (curated): `https://raw.githubusercontent.com/github/awesome-copilot/main/.github/plugin/marketplace.json`
+
+Legacy endpoints returning `404` are not used for sync anymore:
+
+- `https://api.anthropic.com/v1/plugins/catalog`
+- `https://api.github.com/copilot/extensions/catalog`
+
+## Where To Go Next
+
+- Architecture: [`docs/architecture.md`](docs/architecture.md)
+- CLI Reference: [`docs/cli-reference.md`](docs/cli-reference.md)
+- Security: [`docs/security/README.md`](docs/security/README.md)
+- CI Quarantine Automation: [`docs/ci/daily-quarantine.md`](docs/ci/daily-quarantine.md)
+- End-to-End Use Cases: [`docs/use-cases.md`](docs/use-cases.md)
+- Configuration and Data Reference: [`docs/reference.md`](docs/reference.md)
+- Functionality Validation Matrix: [`docs/validation-functionality.md`](docs/validation-functionality.md)
+
+## Contributing
+
+- Follow repository standards in [`AGENTS.md`](AGENTS.md).
+- Run checks before opening a PR:
+
+```bash
+npm run lint
+npm run test
+npm run build
+```
+
+## Support
+
+- Open an issue in the repository for bugs or feature requests.
+- Include command, input, and output snippets when reporting failures.
+
+## License
+
+This repository does not yet include a root `LICENSE` file. Choose and add one before publishing for third-party reuse.

package/assets/cli/logo.txt

@@ -0,0 +1,24 @@
+   .-----------------------------------------.
+   |   Scouting plugins so you don't have to. |
+   '-----------------------------------------'
+                            \/
+                      ___________
+                    _/ ★  ☆  ★  \_
+                   /_______________\
+                   |_________________|
+                   |   (◉)     (◉)  |
+                   |        ∧        |
+                   |    '~~~~~~~'    |
+                   |_________________|
+                  _/|    [ * ]    |\_
+                 /  |_______________|  \
+                      |           |
+                     _|           |_
+                    (_)           (_)
+██████╗ ██╗     ██╗   ██╗ ██████╗ ███████╗ ██████╗ ██████╗ ██╗   ██╗████████╗
+██╔══██╗██║     ██║   ██║██╔════╝ ██╔════╝██╔════╝██╔═══██╗██║   ██║╚══██╔══╝
+██████╔╝██║     ██║   ██║██║  ███╗███████╗██║     ██║   ██║██║   ██║   ██║
+██╔═══╝ ██║     ██║   ██║██║   ██║╚════██║██║     ██║   ██║██║   ██║   ██║
+██║     ███████╗╚██████╔╝╚██████╔╝███████║╚██████╗╚██████╔╝╚██████╔╝   ██║
+╚═╝     ╚══════╝ ╚═════╝  ╚═════╝ ╚══════╝ ╚═════╝ ╚═════╝  ╚═════╝   ╚═╝
+                                   {{version}}  ·  maintained by {{author}}

package/config/item-insights.json

@@ -0,0 +1,316 @@
+{
+  "insights": [
+    {
+      "id": "skill:secure-prompting",
+      "benefitSummary": "Reduces prompt-injection and unsafe output risk in agent workflows.",
+      "bestFor": ["Agent apps", "Security-focused AI features", "LLM integrations"],
+      "whenToUse": ["Before shipping prompt-driven features", "When adding external context/tool calls"],
+      "tradeoffs": ["Adds stricter prompts and validation steps", "Can reduce response flexibility"],
+      "usageNotes": ["Pair with strict security posture", "Use with risk assessment before install in CI"]
+    },
+    {
+      "id": "skill:ci-hardening",
+      "benefitSummary": "Raises CI trust by enforcing least-privilege, deterministic builds, and stronger scan gates.",
+      "bestFor": ["Repositories with GitHub Actions", "Teams with compliance requirements"],
+      "whenToUse": ["When PR checks are unstable", "Before open-source release"],
+      "tradeoffs": ["More strict checks can initially fail often", "Requires policy tuning"],
+      "usageNotes": ["Start in warn mode for new policies, then move to blocking"]
+    },
+    {
+      "id": "skill:threat-modeling-lite",
+      "benefitSummary": "Finds critical security gaps early with fast, repeatable threat-model templates.",
+      "bestFor": ["Security reviews", "Architecture changes", "New attack surface"],
+      "whenToUse": ["Before major releases", "When adding auth/network features"],
+      "tradeoffs": ["Requires reviewer time", "Needs periodic updates as architecture changes"],
+      "usageNotes": ["Attach output to PRs for audit traceability"]
+    },
+    {
+      "id": "skill:release-readiness",
+      "benefitSummary": "Improves release quality with structured gates for versioning, changelog, and test health.",
+      "bestFor": ["Semver-managed projects", "Teams with frequent releases"],
+      "whenToUse": ["Before tagging release", "During RC validation"],
+      "tradeoffs": ["Adds process overhead", "Can block rushed releases"],
+      "usageNotes": ["Combine with CI build + test + audit checks"]
+    },
+    {
+      "id": "skill:docs-automation",
+      "benefitSummary": "Keeps technical docs aligned with code and CLI behavior with lower manual effort.",
+      "bestFor": ["CLI frameworks", "Security workflow docs", "Onboarding guides"],
+      "whenToUse": ["After command changes", "Before publish"],
+      "tradeoffs": ["Generated docs still need human review", "Can drift if not run regularly"],
+      "usageNotes": ["Run from CI for consistent docs freshness"]
+    },
+    {
+      "id": "skill:fast-web-scrape",
+      "benefitSummary": "Accelerates bulk web extraction tasks for catalog enrichment and monitoring.",
+      "bestFor": ["Data gathering", "Market catalog snapshots"],
+      "whenToUse": ["When ingestion sources are fragmented", "For non-official optional feeds"],
+      "tradeoffs": ["Higher legal/compliance risk", "Potential anti-bot breakage"],
+      "usageNotes": ["Use only where source terms allow scraping"]
+    },
+    {
+      "id": "skill:docker-container-ops",
+      "benefitSummary": "Improves container build reliability, image hygiene, and local-to-CI consistency.",
+      "bestFor": ["Containerized services", "CI pipelines", "Developer platform teams"],
+      "whenToUse": ["When Dockerfiles grow complex", "When image size or startup time matters"],
+      "tradeoffs": ["Can require base image and workflow changes", "Hardening may slow builds initially"],
+      "usageNotes": ["Use with dependency scanning and least-privilege container defaults"]
+    },
+    {
+      "id": "skill:kubernetes-ops",
+      "benefitSummary": "Reduces rollout risk by improving Kubernetes config review, debugging, and operational safety.",
+      "bestFor": ["Platform teams", "Multi-service deployments", "Container orchestration"],
+      "whenToUse": ["When manifests or Helm charts change", "When incidents involve rollout or networking issues"],
+      "tradeoffs": ["Cluster behavior can vary by environment", "Requires strong config discipline"],
+      "usageNotes": ["Pair with policy checks and progressive delivery where possible"]
+    },
+    {
+      "id": "skill:terraform-guardrails",
+      "benefitSummary": "Adds safer infrastructure changes with plan review, policy checks, and drift-aware workflows.",
+      "bestFor": ["Infrastructure as code", "Multi-environment cloud estates", "Platform governance"],
+      "whenToUse": ["Before apply", "During IAM/networking changes", "When reviewing drift-prone stacks"],
+      "tradeoffs": ["More checks can slow urgent changes", "Requires shared policy conventions"],
+      "usageNotes": ["Use with separate plan/apply stages and reviewed state backends"]
+    },
+    {
+      "id": "skill:aws-platform-ops",
+      "benefitSummary": "Speeds AWS delivery and troubleshooting across IAM, networking, compute, and serverless workflows.",
+      "bestFor": ["AWS-heavy teams", "Application platforms", "Cloud operations"],
+      "whenToUse": ["When launching new workloads", "When debugging permissions, scaling, or runtime issues"],
+      "tradeoffs": ["AWS service sprawl can increase context load", "Environment parity matters"],
+      "usageNotes": ["Keep environment-specific settings explicit and review IAM changes carefully"]
+    },
+    {
+      "id": "skill:postgres-ops",
+      "benefitSummary": "Improves database reliability through better query analysis, migration review, and indexing decisions.",
+      "bestFor": ["Transactional backends", "Data-heavy apps", "Teams running PostgreSQL in production"],
+      "whenToUse": ["When queries regress", "Before schema migrations", "When latency or lock contention rises"],
+      "tradeoffs": ["Tuning can require production-specific context", "Indexing choices can increase write cost"],
+      "usageNotes": ["Validate with explain plans and staged migration rollouts"]
+    },
+    {
+      "id": "skill:observability-incident-response",
+      "benefitSummary": "Shortens time-to-understanding during incidents by correlating logs, metrics, traces, and timelines.",
+      "bestFor": ["On-call teams", "SRE/platform groups", "Production services with telemetry"],
+      "whenToUse": ["During incidents", "For noisy regressions", "Before writing postmortems"],
+      "tradeoffs": ["Signal quality depends on telemetry coverage", "Too many dashboards can slow triage"],
+      "usageNotes": ["Prefer a small set of trusted dashboards and preserve incident notes as you investigate"]
+    },
+    {
+      "id": "mcp:filesystem",
+      "benefitSummary": "Safe local file operations for analysis, diffing, and controlled write workflows.",
+      "bestFor": ["Local development", "Refactor support", "Repository maintenance"],
+      "whenToUse": ["When tool needs workspace file access"],
+      "tradeoffs": ["Needs strict path controls", "Write access can be dangerous without guardrails"],
+      "usageNotes": ["Prefer read-first policies in sensitive repos"]
+    },
+    {
+      "id": "mcp:github-actions-auditor",
+      "benefitSummary": "Detects insecure workflow patterns and permission issues before they reach production.",
+      "bestFor": ["GitHub Actions-heavy repos", "Security hardening efforts"],
+      "whenToUse": ["After workflow edits", "During security reviews"],
+      "tradeoffs": ["Can produce noisy findings initially", "Needs suppression policy"],
+      "usageNotes": ["Pair with CodeQL + dependency review checks"]
+    },
+    {
+      "id": "mcp:dependency-intel",
+      "benefitSummary": "Adds actionable dependency risk context and upgrade paths for faster remediation.",
+      "bestFor": ["Node/Python ecosystems", "SBOM-driven programs"],
+      "whenToUse": ["When audit reports are frequent", "Before release cut"],
+      "tradeoffs": ["Requires periodic feed updates", "May recommend breaking upgrades"],
+      "usageNotes": ["Use with allowlist policy and risk tiers"]
+    },
+    {
+      "id": "mcp:policy-as-code",
+      "benefitSummary": "Enforces repeatable policy decisions across CI/CD and repo configuration.",
+      "bestFor": ["Governance teams", "High-compliance projects"],
+      "whenToUse": ["When manual review is inconsistent", "Before scaling contributor base"],
+      "tradeoffs": ["Policy authoring takes time", "Overly strict policies can reduce velocity"],
+      "usageNotes": ["Start with visibility mode then enforce"]
+    },
+    {
+      "id": "mcp:release-governance",
+      "benefitSummary": "Prevents weak releases by validating versioning, gates, and readiness evidence.",
+      "bestFor": ["Package publishers", "Teams with release SLAs"],
+      "whenToUse": ["Pre-release checklist", "Hotfix validation"],
+      "tradeoffs": ["Introduces extra release checks", "Needs agreement on policy thresholds"],
+      "usageNotes": ["Integrate with changelog + semver automation"]
+    },
+    {
+      "id": "mcp:repo-observability",
+      "benefitSummary": "Tracks quality/security trends so regressions are visible early.",
+      "bestFor": ["Long-lived repos", "Cross-team platform ownership"],
+      "whenToUse": ["Weekly health reviews", "Incident follow-ups"],
+      "tradeoffs": ["Needs baseline metrics", "Can add dashboard noise"],
+      "usageNotes": ["Focus on a small set of KPIs first"]
+    },
+    {
+      "id": "mcp:remote-browser",
+      "benefitSummary": "Enables browser automation workflows for dynamic UIs and end-to-end checks.",
+      "bestFor": ["UI validation", "Synthetic user flows"],
+      "whenToUse": ["When APIs are insufficient for validation"],
+      "tradeoffs": ["Higher security exposure via remote control", "More flaky than API-level tests"],
+      "usageNotes": ["Currently high-risk in this policy setup; requires explicit override"]
+    },
+    {
+      "id": "mcp:io.github.github/github-mcp-server",
+      "benefitSummary": "Brings first-party GitHub repository, issue, and PR workflows directly into agent tooling.",
+      "bestFor": ["GitHub-centric teams", "Code review workflows", "Repository automation"],
+      "whenToUse": ["When triaging issues or PRs", "When automating repository maintenance"],
+      "tradeoffs": ["Requires careful token scoping", "Can create noisy automation if overused"],
+      "usageNotes": ["Prefer least-privilege GitHub auth and explicit write approvals"]
+    },
+    {
+      "id": "mcp:io.github.grafana/mcp-grafana",
+      "benefitSummary": "Makes dashboards, metrics, and incident context queryable from the same workflow as code changes.",
+      "bestFor": ["SRE teams", "On-call engineers", "Platform observability workflows"],
+      "whenToUse": ["During incident triage", "When validating production impact of a change"],
+      "tradeoffs": ["Signal quality depends on dashboard hygiene", "Access control must match production sensitivity"],
+      "usageNotes": ["Use with a small set of trusted dashboards and alert entry points"]
+    },
+    {
+      "id": "mcp:io.github.browserbase/mcp-server-browserbase",
+      "benefitSummary": "Adds reliable cloud browser automation for login-heavy or dynamic product flows.",
+      "bestFor": ["QA automation", "Customer workflow validation", "Browser-based data collection"],
+      "whenToUse": ["When APIs are insufficient", "When reproducing browser-only failures"],
+      "tradeoffs": ["Browser automation is slower and costlier than API checks", "Needs secret handling discipline"],
+      "usageNotes": ["Use for high-value user flows, not every validation path"]
+    },
+    {
+      "id": "mcp:com.cloudflare.mcp/mcp",
+      "benefitSummary": "Connects code changes to Cloudflare deployment, routing, storage, and edge configuration workflows.",
+      "bestFor": ["Edge apps", "Workers deployments", "Platform teams using Cloudflare"],
+      "whenToUse": ["When debugging edge behavior", "When rolling out infra or platform changes"],
+      "tradeoffs": ["Environment drift can hide configuration mistakes", "Write access should be tightly scoped"],
+      "usageNotes": ["Pair with explicit environment targeting and change review"]
+    },
+    {
+      "id": "mcp:io.github.upstash/context7",
+      "benefitSummary": "Supplies up-to-date technical documentation context without depending on stale model memory.",
+      "bestFor": ["Library-heavy projects", "Framework migrations", "Agent-assisted coding"],
+      "whenToUse": ["When working across fast-moving libraries", "When docs accuracy matters more than speed"],
+      "tradeoffs": ["Adds a docs lookup hop", "Coverage depends on upstream indexing"],
+      "usageNotes": ["Prefer it for framework and SDK questions before relying on memory"]
+    },
+    {
+      "id": "claude-plugin:workspace-ops",
+      "benefitSummary": "Speeds internal operations by letting teams query docs/tasks from Claude.",
+      "bestFor": ["Knowledge-heavy orgs", "Ops workflows"],
+      "whenToUse": ["For internal support and coordination"],
+      "tradeoffs": ["Depends on source system quality", "Access control must be verified"],
+      "usageNotes": ["Scope permissions to least privilege"]
+    },
+    {
+      "id": "claude-plugin:repo-threat-review",
+      "benefitSummary": "Improves PR security review quality with threat-oriented feedback loops.",
+      "bestFor": ["Security-conscious engineering teams", "Critical repos"],
+      "whenToUse": ["On risky PRs", "When adding new integrations"],
+      "tradeoffs": ["Can surface many low-priority findings", "Needs tuning to team context"],
+      "usageNotes": ["Use with blocked-tier policy for merge gates"]
+    },
+    {
+      "id": "claude-plugin:incident-summarizer",
+      "benefitSummary": "Cuts incident response time by turning fragmented logs into coherent timelines.",
+      "bestFor": ["On-call teams", "Postmortems"],
+      "whenToUse": ["During incident triage", "After outages"],
+      "tradeoffs": ["Quality depends on input signal quality", "May miss hidden causal chains"],
+      "usageNotes": ["Keep manual validation loop before final report"]
+    },
+    {
+      "id": "claude-plugin:compliance-evidence",
+      "benefitSummary": "Automates evidence collection for audits and recurring compliance checks.",
+      "bestFor": ["SOC2/ISO-style programs", "Security governance"],
+      "whenToUse": ["Before audits", "For monthly compliance snapshots"],
+      "tradeoffs": ["Can produce bulky evidence sets", "Needs clear retention strategy"],
+      "usageNotes": ["Store outputs in immutable audit artifacts"]
+    },
+    {
+      "id": "claude-plugin:mcp-toolkit",
+      "benefitSummary": "Lets Claude Code reach containerized MCP servers through Docker's gateway tooling instead of bespoke local setup.",
+      "bestFor": ["Teams standardizing on Docker Desktop", "Cross-platform local development", "MCP-heavy workflows"],
+      "whenToUse": ["When local MCP setup is fragmented", "When you want repeatable dev environments"],
+      "tradeoffs": ["Adds Docker Desktop as a dependency", "Container mediation can hide low-level issues"],
+      "usageNotes": ["Best fit when your team already uses Docker as the local platform standard"]
+    },
+    {
+      "id": "claude-plugin:chrome-devtools-mcp",
+      "benefitSummary": "Gives Claude Code high-fidelity browser debugging for performance, DOM, and runtime inspection tasks.",
+      "bestFor": ["Frontend engineering", "Web debugging", "Performance troubleshooting"],
+      "whenToUse": ["When browser issues are hard to reproduce from logs alone", "When inspecting live UI state matters"],
+      "tradeoffs": ["Can be slower than unit-level validation", "Needs care around pages with sensitive content"],
+      "usageNotes": ["Use it selectively for interactive debugging and regression validation"]
+    },
+    {
+      "id": "claude-plugin:firebase",
+      "benefitSummary": "Connects app development workflows to a widely used backend platform for faster iteration on auth, data, and hosting.",
+      "bestFor": ["Product teams using Firebase", "Rapid app development", "Mobile and web backends"],
+      "whenToUse": ["When your stack depends on Firebase services", "When debugging app/backend integration issues"],
+      "tradeoffs": ["Tight platform coupling can reduce portability", "Environment separation matters"],
+      "usageNotes": ["Keep project and environment targeting explicit to avoid accidental production changes"]
+    },
+    {
+      "id": "copilot-extension:repo-security",
+      "benefitSummary": "Brings dependency and code-scan findings directly into developer workflows.",
+      "bestFor": ["GitHub-native teams", "Shift-left security adoption"],
+      "whenToUse": ["During PR authoring/review", "When fixing vulnerabilities"],
+      "tradeoffs": ["Findings volume may overwhelm teams at first", "Requires triage discipline"],
+      "usageNotes": ["Use with severity thresholds in CI"]
+    },
+    {
+      "id": "copilot-extension:actions-guardian",
+      "benefitSummary": "Hardens GitHub Actions quickly with actionable permission and supply-chain checks.",
+      "bestFor": ["Repos with many workflows", "Security hardening programs"],
+      "whenToUse": ["After workflow changes", "Before enabling public contributions"],
+      "tradeoffs": ["May flag legacy patterns aggressively", "Requires remediation backlog"],
+      "usageNotes": ["Pair with branch protection required checks"]
+    },
+    {
+      "id": "copilot-extension:sbom-advisor",
+      "benefitSummary": "Turns SBOM/security data into prioritized fix plans for maintainers.",
+      "bestFor": ["Dependency-heavy repos", "Security operations teams"],
+      "whenToUse": ["After SBOM generation", "For quarterly risk reviews"],
+      "tradeoffs": ["Requires accurate package metadata", "False positives possible"],
+      "usageNotes": ["Cross-check with Dependabot and audit outputs"]
+    },
+    {
+      "id": "copilot-extension:release-gatekeeper",
+      "benefitSummary": "Ensures release quality by enforcing agreed policy gates in one flow.",
+      "bestFor": ["Teams with strict release policies", "Public package maintainers"],
+      "whenToUse": ["Before release publish", "Before tag creation"],
+      "tradeoffs": ["Can block urgent releases", "Needs calibrated policy exceptions"],
+      "usageNotes": ["Define emergency override process upfront"]
+    },
+    {
+      "id": "skill:open-source-maintainer",
+      "benefitSummary": "Systematizes GitHub maintenance workflows across issues, PRs, contributor activity, and release hygiene.",
+      "bestFor": ["Open-source maintainers", "Engineering leads", "Busy repository owners"],
+      "whenToUse": ["When project maintenance starts consuming too much ad hoc time", "Before release or backlog cleanup cycles"],
+      "tradeoffs": ["Can formalize workflows that were previously lightweight", "Still needs human judgment on community interactions"],
+      "usageNotes": ["Use it with a clear triage policy and issue/PR labeling scheme"]
+    },
+    {
+      "id": "skill:orchestration",
+      "benefitSummary": "Improves complex task execution by structuring decomposition, delegation, and multi-step coordination.",
+      "bestFor": ["Agentic workflows", "Large refactors", "Parallelizable engineering work"],
+      "whenToUse": ["When a task spans multiple domains", "When one pass of a single agent is insufficient"],
+      "tradeoffs": ["Coordination overhead can outweigh benefits on simple tasks", "Bad task boundaries create churn"],
+      "usageNotes": ["Use for genuinely multi-step work, not routine single-file edits"]
+    },
+    {
+      "id": "skill:engineering-workflow-skills",
+      "benefitSummary": "Bundles practical software delivery skills like planning, test fixing, and code review execution into one reusable workflow layer.",
+      "bestFor": ["General software engineering", "Teams with repeatable coding workflows", "Maintainers juggling multiple tasks"],
+      "whenToUse": ["When work repeatedly follows the same engineering loop", "When consistency matters across contributors"],
+      "tradeoffs": ["Broad workflow bundles can be less opinionated than specialized skills", "May overlap with local team conventions"],
+      "usageNotes": ["Use as a default engineering baseline, then layer narrower skills as needed"]
+    },
+    {
+      "id": "skill:neon-plugin",
+      "benefitSummary": "Specializes database development around Neon, Postgres, auth, and modern serverless data workflows.",
+      "bestFor": ["Neon-backed apps", "Serverless Postgres stacks", "Teams using Drizzle or modern TS backends"],
+      "whenToUse": ["When schema, auth, or query workflows are tied to Neon", "When app and database changes move together"],
+      "tradeoffs": ["Strong vendor coupling", "Less useful outside the Neon ecosystem"],
+      "usageNotes": ["Best fit when Neon is an explicit platform dependency, not a hypothetical future option"]
+    }
+  ]
+}

package/config/providers.json

@@ -0,0 +1,46 @@
+{
+  "providers": [
+    {
+      "id": "mcp",
+      "enabled": true,
+      "officialOnly": true,
+      "trustLevel": "high",
+      "poll": {
+        "mode": "daily",
+        "rateLimitPerMinute": 120
+      }
+    },
+    {
+      "id": "openai",
+      "enabled": true,
+      "officialOnly": false,
+      "trustLevel": "medium",
+      "poll": {
+        "mode": "daily",
+        "rateLimitPerMinute": 60
+      }
+    },
+    {
+      "id": "anthropic",
+      "enabled": true,
+      "officialOnly": true,
+      "trustLevel": "high",
+      "authEnv": "ANTHROPIC_API_KEY",
+      "poll": {
+        "mode": "daily",
+        "rateLimitPerMinute": 60
+      }
+    },
+    {
+      "id": "github",
+      "enabled": true,
+      "officialOnly": false,
+      "authEnv": "GITHUB_TOKEN",
+      "trustLevel": "high",
+      "poll": {
+        "mode": "daily",
+        "rateLimitPerMinute": 90
+      }
+    }
+  ]
+}